How the cookie crumbles for FSA regulated firms


Updated July 2011

The Financial Services Authority (FSA) has steadily been shifting its focus from a principles-based approach to regulation towards credible deterrence. Data protection compliance, or the lack of it, is a comparatively easy breach for the FSA to pin on regulated firms, and there have been a number of data protection related fines from the FSA as a result.

We all remember the hefty fine imposed on a building society in 2007 for failing to manage its information security risks effectively, following the theft of a laptop from an employee's home. Since that enforcement action, the UK branch of one of Europe's largest insurers was last year initially fined £3.25 million for failing to prevent the loss of 46,000 policyholders' personal details. That fine was the highest levied to date on a single firm for data security failings.

It is therefore important for those firms affected by the Privacy and Electronic Communications Regulations to ensure that they are fully compliant with the revised Regulations to avoid being caught in enforcement action by the FSA or indeed the Information Commissioner’s Office (ICO). 

Under the revised Privacy and Electronic Communications Regulations, website operators must obtain visitors' express (opt-in) consent before storing cookies on their computers. Previously, cookies could be set as long as users had been given information about how the cookies would be used and the opportunity to opt out.

Consent is not required where a cookie is strictly necessary to deliver a service the user has requested. The ICO treats this as a narrow exception that applies only to a small range of activities, such as the cookie that holds an online shopping basket; cookies used for analytics or advertising, however useful to the operator, do not fall within it.

A user who has simply left their browser at its default settings, which accept cookies, will not be treated as having consented: the ICO considers that most current browser settings are not sophisticated enough to demonstrate the requisite level of consent.

The revised Regulations came into force on 26 May 2011, but the ICO has published guidance stating that its enforcement powers will not be exercised until May 2012. This period is intended to allow time for technical solutions that enable firms to comply to be developed. The ICO has made clear, however, that it will not excuse firms that delay action until next year.

What steps should firms consider taking?

The ICO advises that the following steps be taken by firms:

  • Conduct an audit of the types of cookies used and how they are used.
  • Assess how intrusive the use of each cookie is.
  • Decide on the best method of gaining consent. The more closely a cookie's use relates to the visitor's personal information, the more the firm must do to obtain meaningful consent.

The ICO's guidance document suggests various options for obtaining users' consent, including pop-ups and similar techniques, the use of terms and conditions, and scrolling text that draws users' attention to information about cookies.

If the firm's website allows a third party to set cookies on a user's device, obtaining consent is more complex and the firm will most likely need to work with the third party to ensure that appropriate consent is obtained. This could be relevant, for example, where advertising agencies place cookies through a firm's website in order to serve targeted advertising. The audit should therefore cover cookies set by third parties through the firm's pages, not only the firm's own.
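The three steps above (audit the cookies, assess how intrusive each one is, choose a consent mechanism) and the third-party case can be expressed as a small piece of site logic. The following is an added illustration written for this page; it is not code from TLT, from the ICO's guidance or from any real website. The cookie names, the categories, the first-party `cookie_consent` cookie that records the visitor's choice, the tag list and the sample Set-Cookie headers are all constructed assumptions.

```javascript
// Added example, not part of the TLT article: a default-deny cookie consent
// gate plus a Set-Cookie audit. Inventory, category names, the
// "cookie_consent" cookie, the tag list and the sample headers are all
// constructed for illustration.

// 1. Audit output: every cookie the site expects, classified by how intrusive
//    it is and who sets it. "strictly-necessary" is the narrow exception that
//    needs no consent; everything else needs an explicit opt-in.
const COOKIE_INVENTORY = {
  session_id:     { category: 'strictly-necessary', party: 'first', purpose: 'login session' },
  basket:         { category: 'strictly-necessary', party: 'first', purpose: 'online shopping basket' },
  cookie_consent: { category: 'strictly-necessary', party: 'first', purpose: "stores the visitor's choice" },
  ui_prefs:       { category: 'functional',         party: 'first', purpose: 'remembered page layout' },
  _ga:            { category: 'analytics',          party: 'third', purpose: 'web analytics' },
  ad_profile:     { category: 'advertising',        party: 'third', purpose: 'targeted advertising' },
};

// 2. Consent is read only from an explicit first-party "cookie_consent" cookie
//    written when the visitor opts in, e.g. "cookie_consent=analytics,functional".
//    A browser left at its default (accepting cookies) sends no such cookie, so
//    the result is an empty set: default browser settings are not consent.
function parseConsent(cookieHeader) {
  const optedIn = new Set();
  for (const part of (cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== 'cookie_consent') continue;
    for (const cat of rest.join('=').split(',')) {
      if (cat.trim()) optedIn.add(cat.trim());
    }
  }
  return optedIn;
}

// 3. The gate: may this cookie be set for a visitor with this consent?
//    Unknown cookies are refused so an unaudited cookie cannot slip through.
function mayBeSet(name, optedIn) {
  const entry = COOKIE_INVENTORY[name];
  if (!entry) return false;
  if (entry.category === 'strictly-necessary') return true;
  return optedIn.has(entry.category);
}

// 4. Third-party tags (advertising networks, analytics) are the usual source
//    of cookies the firm does not set itself. A tag is loaded only when every
//    cookie it drops is permitted, so consent is obtained before the cookie
//    is set rather than after.
const THIRD_PARTY_TAGS = [ // constructed tag list
  { id: 'analytics-tag', drops: ['_ga'] },
  { id: 'ad-tag',        drops: ['ad_profile'] },
];
function tagsAllowed(optedIn) {
  return THIRD_PARTY_TAGS
    .filter(tag => tag.drops.every(c => mayBeSet(c, optedIn)))
    .map(tag => tag.id);
}

// 5. Audit helper: compare the Set-Cookie headers actually observed on
//    responses (e.g. exported from a browser's network log) against the
//    inventory and report anything unclassified. An unclassified cookie must
//    be assessed before the consent mechanism can be considered complete.
function auditSetCookies(observed) {
  const report = { classified: [], unclassified: [] };
  for (const { host, setCookie } of observed) {
    const name = setCookie.split(';')[0].split('=')[0].trim();
    const entry = COOKIE_INVENTORY[name];
    if (entry) report.classified.push({ name, host, category: entry.category });
    else report.unclassified.push({ name, host });
  }
  return report;
}

// Constructed sample of observed Set-Cookie headers, not real traffic. The
// "tracker" cookie from the advertising host is deliberately absent from the
// inventory to show what the audit flags.
const SAMPLE_OBSERVED = [
  { host: 'www.example-firm.test',         setCookie: 'session_id=abc123; Secure; HttpOnly; Path=/' },
  { host: 'www.example-firm.test',         setCookie: 'basket=item42; Path=/' },
  { host: 'analytics.example-vendor.test', setCookie: '_ga=GA1.2.1; Domain=.example-vendor.test' },
  { host: 'ads.example-vendor.test',       setCookie: 'tracker=xyz; Domain=.example-vendor.test' },
];

// Demo run on the constructed sample.
const noConsent = parseConsent('session_id=abc123');
const analyticsOnly = parseConsent('session_id=abc123; cookie_consent=analytics');
console.log('tags with no consent:', tagsAllowed(noConsent));
console.log('tags after analytics opt-in:', tagsAllowed(analyticsOnly));
console.log('unclassified cookies:', auditSetCookies(SAMPLE_OBSERVED).unclassified);
```

The design choice worth noting is that the gate is default-deny in two directions: a cookie that is not in the audited inventory is never set, and a category that is not named in the visitor's own consent record is never enabled. The basket and session cookies pass regardless because they sit in the strictly necessary category, which is exactly the narrow exception the ICO describes.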

Enforcement

Although the ICO has made it clear that it will not take enforcement action until May 2012, firms are expected to take steps now to ensure compliance and warnings may be issued to firms that are not making adequate preparation. These warnings will be taken into account if enforcement action is required after May 2012. That enforcement action may include a fine of up to £500,000. Failure to comply could also lead to action from consumer groups and ongoing investigations into other data protection breaches.

Therefore firms are advised to consider the changes and put in place a realistic plan to achieve compliance. The ICO has stated that it expects to receive complaints about cookies in the period prior to May 2012 and firms will be asked to explain the steps being taken to ensure that they will be in a position to comply by May 2012.

Meanwhile the Commissioner will continue to consider complaints about contraventions and, with the FSA, enforce the current requirement that information be provided to users about cookies. As this is a high profile change to the law the ICO is likely to receive complaints and be vigorous in taking action in the coming months.

Firms will naturally want to avoid unnecessary regulatory attention by complying with the revised Regulations. If the FSA finds a breach of data protection (or other statutory obligation) it may be encouraged to investigate other potential systems and controls breaches.

TLT is offering a review service to assist you in identifying the best means of obtaining consent given the types of cookies used on your website and general compliance. If you would like more information about our review or other services, or if you have any queries on the forthcoming changes please contact Nicola Fincham or Suzanne Macdonald.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
